CVE-2024-8066 — Unrestricted File Upload in Filester

CWE-434 — Unrestricted File Upload3 documents3 sources

Severity

8.8HIGHNVD

CNA7.5

EPSS

4.8%

top 10.53%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ninjateam Filester Ninjateam File Manager PRO Filester

Timeline

PublishedNov 28

Description

The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing validation in the 'fsConnector' function in all versions up to, and including, 1.8.6. This makes it possible for authenticated attackers, with Subscriber-level access and above, and granted permissions by an Administrator, to upload a new .htaccess file allowing them to subsequently upload arbitrary files on the affected site's server which may make remote code execution possible.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5ninjateam/file_manager_pro_filester1.8.6

▶NVDninjateam/filester< 1.8.7

Patches

Patch: plugins.trac.wordpress.org ↗

🔴Vulnerability Details

GHSA

GHSA-rgw5-2p37-xfw9: The File Manager Pro – Filester plugin for WordPress is vulnerable to arbitrary file uploads due to missing validation in the 'fsConnector' function i↗2024-11-28

▶

CVEList

File Manager Pro – Filester <= 1.8.6- Authenticated (Subscriber+) Arbitrary File Upload↗2024-11-28

▶